January 26, 2015

Beijing, China

 

Mr. Lu Wei

Director of the Cyberspace Administration of the People’s Republic of China 中央网络安全和信息化领导小组办公室主任

Director of the State Internet Information Office 国家互联网信息办公室主任

Deputy Director of the Central Propaganda Department of the Chinese Communist Party 中共中央宣传部副部长

Cyberspace Administration of China,

Floor 1, Building 1,

Software Park, Chinese Academy of Sciences,

4 South 4th Street, Zhongguancun,

Beijing, China, 100190

 

Dear Mr. Lu,

On January 22, 2015, the Cyberspace Administration of China (CAC), which is under your direct control, wrote a response to a story we published about an MITM attack on Microsoft. In the post, your colleague, Jiang Jun, labelled our accusations as "groundless" and "unsupported speculation, a pure slanderous act by overseas anti-China forces".

We at GreatFire.org take great offense to these comments and we will refute them in this letter.

We do not level accusations against CAC lightly. We went to great lengths to provide data collected during the attack to back up our claims. Multiple reports confirmed our analysis, including screenshots and tests posted by Chinese internet users as well as independent analysis from security experts.

We have reported on previous MITM attacks against iCloud, Yahoo, Microsoft and Google, all of which have been confirmed by the respective companies. We have also asked independent security experts to examine the data we or Chinese users captured during each MITM attack. Please see the independent data analysis in each instance here: Outlook, iCloud, Google, Yahoo, GitHub. In each case the conclusions are similar:

Our conclusion is that this was a real attack on Microsoft's email service. Additionally, the attack is very similar to previous nationwide Chinese attacks on SSL encrypted traffic, such as the attack on Google a few months ago.   

Two independent security experts contacted by Reuters said GreatFire's report appeared credible.

"All the evidence I've seen would support that this is a real attack," said Mikko Hypponen, chief research officer at security software developer F-Secure.

To be more specific, it appears as if the MITM attacks are being performed on backbone networks belonging to China Telecom (CHINANET) as well as China Unicom.  

All evidence indicates that a MITM attack is being conducted against traffic between China’s nationwide education and research network CERNET and www.google.com.

The fact that the MITM machine was six hops away from the user indicates that the MITM is taking place at some fairly central position in China's internet infrastructure, as opposed to being done locally at the ISP.

We have noted your department's denial of involvement in the Outlook MITM attack. However, Jiang Jun acknowledges that an attack took place. We assume that by proclaiming your innocence, you believe that others are responsible for the attack.

If CAC is not responsible for the attack, nor complicit in letting it happen, can you please explain how “hostile forces” can tap into the backbone of the Chinese Internet and implement nationwide MITM attacks six times over the past two years?

Why did CAC not launch an investigation after you denied any involvement in a MITM attack against Apple’s iCloud in October, 2014? Do note that your colleague Mr. Jiang states:

The Chinese government is a staunch advocate for cyber security and stands firmly against any sort of cyber attack. China will crack down on online offensive maneuvers initiated in China and those launched via Chinese Internet infrastructure in line with law.

Can you please explain, Mr. Lu, how CAC has cracked down on these “offensive maneuvers”? How come your department is censoring reports about this attack and even stories that appear in state media, including People's Daily?

Mr. Jiang also makes several accusations about GreatFire.org, all of which we would like to address in this letter.

"姜军说,Greatfire.org是境外反华组织创办的反华网站,长期对中国政府进行无端攻击.此次炒作选在国家网信办宣布依法关闭一批违法违规网站、栏目和微信公众账号之时,蓄意引发不满情绪,污蔑指责中国网络空间治理制度".

Our translation: Jiang Jun said, GreatFire.org is an anti-China website set up by an overseas anti-China organization (1). It has long made groundless charges against the Chinese government (2). They (GreatFire.org) timed this incident with an announcement from CAC about the closure of illegal websites, website columns, and public WeChat accounts (3), aiming to incite dissatisfaction and to smear China's cyberspace management system (4).

(1) Three people founded GreatFire.org in 2011 without any help from any external organizations. We were dissatisfied with Internet censorship in China and we decided to fight against it. We are not anti-China but we are anti-censorship in China. Please take the time to read more about the history of our organization.

(2) We've been monitoring and writing about Chinese Internet censorship since 2011. In fact, the main purpose of GreatFire.org is to automatically test internet censorship in China. All of our blog posts are backed up by hard data, collected from automatic testing, manual testing and user reports. As mentioned earlier, we have even provided the full raw data on the most recent MITM attack. This evidence is far from being “groundless”.

(3) Unless you are accusing us of staging this attack, how is it possible that we can "time" the MITM attack with your announcements? Microsoft has confirmed that there was an attack - we simply reported on it in a timely fashion. In fact, this timing provides some indication that CAC is indeed behind the MITM attack. Perhaps the closing of WeChat accounts and the attack on Outlook were part of the same plan?

(4) We do agree on one thing and that is that we are "aiming to incite dissatisfaction and smear China's cyberspace management system". We are here to watch what you are doing, to criticise you when you are wrong and to end online censorship in China. And we are encouraging netizens and companies alike to fight against the GFW and Chinese internet censorship in general. We've called for Microsoft, Apple and others to immediately revoke trust for the CNNIC certificate authority. Your continued MITM attacks, your denial of your involvement in these attacks, and your baseless accusations against us are only adding to the urgency of revoking trust for CNNIC.

We have also noted that you have instructed Chinese media to discontinue mentions of us in the Chinese press, after you labeled us as “anti-China”. However, no matter what censorship measures you put in place, our voice will continue to be heard by state media, including this mention in the Global Times:

"The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it," one of the founders of an overseas website which monitors the Internet in China told the Global Times Thursday via e-mail.

We look forward to receiving an apology from you for your groundless slander against us; your “wild guesses and malicious blemishes” will not help solve cyber issues.

Sincerely,

The Team at GreatFire.org